MelAbu WP Download Counter Button WordPress Plugin Unauthenticated Arbitrary File Download Vulnerability
Vulnerability
A vulnerability exists in the MelAbu WP Download Counter Button WordPress plugin, affecting versions through 1.8.6.7. The plugin does not validate the path of the file it is asked to serve, potentially allowing unauthenticated attackers to read or download arbitrary files from the server.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, such as the passwd file, depending on the file system permissions of the PHP process.
Reproduction
The vulnerability is reached through the 'download.php' endpoint (the 'count' function) of the 'download-counter-button' plugin. A request to that endpoint supplies the 'durl' parameter with a crafted value pointing at a file on the server, such as '/etc/passwd'. The 'dtp' parameter is not validated and can be any string, and setting the 'dabp' parameter to '/' makes the plugin resolve the requested file from the root directory.
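As an added detection example that is not part of the original advisory, the following Python scans web-server access log entries for requests to the plugin's download endpoint whose 'durl' or 'dabp' values match the pattern described above. The log lines are constructed, and the endpoint path under wp-content/plugins is an assumption, since the advisory names only 'download.php'.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log lines (combined log format). Neither the traffic
# nor the exact endpoint path under wp-content/plugins comes from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/download-counter-button/download.php?dtp=x&dabp=/&durl=/etc/passwd HTTP/1.1" 200 1432 "-" "curl/8.0"
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/download-counter-button/download.php?dtp=pdf&dabp=%2F&durl=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/download-counter-button/download.php?dtp=pdf&dabp=uploads/&durl=brochure.pdf HTTP/1.1" 200 88000 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Request line inside the quoted part of a combined-format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')


def is_plugin_download_request(target):
    """True when the request path ends at the plugin's download.php endpoint."""
    return urlsplit(target).path.endswith("/download-counter-button/download.php")


def suspicious_params(target):
    """Reasons a download.php query looks like an arbitrary file read (empty if clean)."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    reasons = []
    for raw in params.get("durl", []):
        # parse_qs decoded once; decode again to catch double-encoded values.
        path = unquote(raw).replace("\\", "/")
        if path.startswith("/"):
            reasons.append("durl is an absolute filesystem path")
        if ".." in path.split("/"):
            reasons.append("durl contains directory traversal")
    for raw in params.get("dabp", []):
        if unquote(raw).replace("\\", "/") == "/":
            reasons.append("dabp forces the filesystem root as base directory")
    return reasons


def scan_log(text):
    """Return one (client_ip, request_target, reasons) tuple per flagged request."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match or not is_plugin_download_request(match.group("target")):
            continue
        reasons = suspicious_params(match.group("target"))
        if reasons:
            findings.append((line.split(" ", 1)[0], match.group("target"), reasons))
    return findings
```

Calling scan_log(SAMPLE_LOG) flags the first two entries and leaves the legitimate plugin download and the unrelated request alone.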
